Krebs on Security

In-depth security news and investigation

Checked Your Credit Since the Equifax Hack?

A recent consumer survey suggests that half of all Americans still haven’t checked their credit report since the Equifax breach last year exposed the Social Security numbers, dates of birth, addresses and other personal information on nearly 150 million people. If you’re in that fifty percent, please make an effort to remedy that soon.

Credit reports from the three major bureaus — Equifax, Experian and TransUnion — can be obtained online for free at annualcreditreport.com — the only Web site mandated by Congress to serve each American a free credit report every year.

Annualcreditreport.com is run by a Florida-based company, but its data is supplied by the major credit bureaus, which struggled mightily to meet consumer demand for free credit reports in the immediate aftermath of the Equifax breach. Personally, I was unable to order a credit report for either me or my wife even two weeks after the Equifax breach went public: The site just kept returning errors and telling us to request the reports in writing via the U.S. Mail.

Based on thousands of comments left here in the days following the Equifax breach disclosure, I suspect many readers experienced the same but forgot to come back and try again. If this describes you, please take a moment this week to order your report(s) (and perhaps your spouse’s) and see if anything looks amiss. If you spot an error or something suspicious, contact the bureau that produced the report to correct the record immediately.

Of course, keeping on top of your credit report requires discipline, and if you’re not taking advantage of all three free reports each year you need to get a plan. My strategy is to put a reminder on our calendar to order a new report every four months or so, each time from a different credit bureau.

Whenever stories about credit reports come up, so do the questions from readers about the efficacy and value of credit monitoring services. KrebsOnSecurity has not been particularly kind to the credit monitoring industry; many stories here have highlighted the reality that they are ineffective at preventing identity theft or existing account fraud, and that the most you can hope for from them is that they alert you when an ID thief tries to get new lines of credit in your name.

But there is one area where I think credit monitoring services can be useful: Helping you sort things out with the credit bureaus in the event that there are discrepancies or fraudulent entries on your credit report. I’ve personally worked with three different credit monitoring services, two of which were quite helpful in resolving fraudulent accounts opened in our names.

At $10-$15 a month, are credit monitoring services worth the cost? Probably not on an annual basis, but perhaps during periods when you actively need help. However, if you’re not already signed up for one of these monitoring services, don’t be too quick to whip out that credit card: There’s a good chance you have at least a year’s worth available to you at no cost.

If you’re willing to spend the time, check out a few of the state Web sites which publish lists of companies that have had a recent data breach. In most cases, those publications come with a sample consumer alert letter providing information about how to sign up for free credit monitoring. California publishes probably the most comprehensive such lists at this link. Washington state published their list here; and here’s Maryland’s list. There are more.

It’s important for everyone to remember that as bad as the Equifax breach was (and it was a dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans. If anything, the Equifax breach may have simply refreshed some of those criminal data stores.

That’s why I’ve persisted over the years in urging my fellow Americans to consider freezing their credit files. A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand.

With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).

Bear in mind that if you haven’t yet frozen your credit file and you’re interested in signing up for credit monitoring services, you’ll need to sign up first before freezing your file. That’s because credit monitoring services typically need to access your credit file to enroll you, and if you freeze it they can’t do that.

The previous two tips came from a primer I wrote a few days after the Equifax breach, which is an in-depth Q&A about some of the more confusing aspects of policing your credit, including freezes, credit monitoring, fraud alerts, credit locks and second-tier credit bureaus.

This entry was posted on Sunday, March 11th, 2018 at 2:51 pm and is filed under Latest Warnings, Security Tools.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

71 comments

Hi Brian,
I’ve been teaching classes on credit for the past 10 years.
annualcreditreport.com while free is far from the best site out there for analyzing your reports.

I use creditchecktotal.com, owned by Experian. They offer a one dollar trial for 7 days. In return you immediately get all 3 reports and scores in a very readable format. Much better in fact than Experian’s own web site. I tell my clients if they would like a snap shot, download the reports and call to cancel before the 7 days are up and only owe the buck.

That might be good for one-time use. But Brian’s recommendation was to pull a credit report three times a year. Presumably creditchecktotal.com won’t allow you to repeat the “free sample” trick three times a year?

Since you teach this, you probably already know that eventually all the credit bureaus get your information – so one doesn’t necessarily need to go to Equifax to get a free report – chances are that data has caught up to the other reporting services within a few weeks.

You would also know you can get one free report from each service a year. I used to do it that way, so I know it works – I would request one report – usually online – for each different agency about every quarter, to keep up fairly well. At least that is pretty good for free. I always went to https://www.annualcreditreport.com/index.action to make these requests, as they provide them under Federal Law guidelines.

Tried freecreditreport.com and got a message that it could not provide the report online and I must mail in a form. What is the cause of this message? Is there anyway to verify the address for the mail-in form?

I can tell you, after the hack I had fraudsters trying to open loan accounts and a few merchant accounts to process cards.

While we can’t *freeze* our credit files in Canada, you can still add a fraud alert which has slowed them down for me. My score is now healing, after being impacted by ~100 points to the downside over the previous 4 months.

Subscribing to a credit monitoring service and your blog has me covered for now. Thank you Brian.

Many credit cards and banks are now offering free credit scores. Some limited to just the score, but some also show open accounts.
It’s very easy to check your existing credit card and bank accounts to see if they offer free credit scores.

I bank at Wells Fargo and Chase and I have long time security freezes on Experian, Transunion, Equifax, and Innovis. Wells Fargo offers the FICO2 credit score free of charge. Chase offers the Transunion VantageScore 3.0 free of charge.

You can very much get a free credit report from annualcreditreport.com even if you have a freeze. I noticed you said “credit score” which is of course different, but I also don’t have a problem getting a credit score even though I have a freeze. Granted, I get the score from a financial institution with which I had a relationship prior to the freeze, so I don’t if that matters.

The scores are generally not good enough by themselves to tell you really what’s going on. Also because the bureaus use various algorithms depending on the industry the scores will differ from site to site.

By the way, relatedly, I see some credit services, such as TransUnion, are offering credit “locks” that can be lifted via a smartphone app, in addition to the traditional freezes. I assume more convenience comes with more security risks, but I don’t know.

That’s addressed in the Q&A I linked to at the bottom of this piece. Specifically:

Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?

A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

I just ran through annualcreditreport.com and the Equifax section throws the error “Online Delivery Unavailable: We are not able to deliver your free Equifax Annual Credit Report online.” They provide a PDF form to request my credit report by snail. It seems more cost-effective to have online delivery.

So the Credit Bureaus collects information on me and due to their incompetence allow themselves to be breached, but want ME to pay to protect the data they compiled…PURE EXTORTION…Does this Wikipedia definition fit? https://en.wikipedia.org/wiki/Extortion..

They should be paying me a monthly fee to hold and offer my information for “sale” to money grubbing banks and loan institutions. What is that saying the banking community likes to use… “KNOW YOUR CUSTOMERS”…and the customers should remember…If you can not afford it…DON’T buy it!

The Chase Bank website for managing your credit card allows you to view your current credit score and you can see it graphed over time. It also tells you if something happened to impact your score, e.g. new lines of credit or missed payments. You don’t get any details though.

Is that sufficient for monitoring your credit? I really don’t trust any of these credit report sites.

When I recently bought a new car, the Experian report and TransUnion reports were virtually the same. CreditWise sends me the results by email monthly – that is any changes that have taken place and I can check on it during the month as well. It is free even if you don’t have a Capital One credit card and they haven’t tried to get me to take one of their cards.

As for Equifax, I am utterly disgusted with them to start with and then they started bugging me to pay them money. When I tried to delete their service, they wanted me to provide them with all kinds of personal info including my Social Security number over the phone. NOT happening. They are now blocked.

For several years now, Equifax and Experian have been making it impossible to get free online credit reports. They consistently give you an error message and tell you to order it by mail. Of course, they require you to submit several forms of identification my mail which I refuse to do. I have emailed my states congressman and senators about this. Still waiting for a reply. (of course) I have a feeling that the problem may be with annualcreditreport.com instead of the credit reporting companies.

I’ve been hammering on my congressmen too! We should get at least 3 years of FREE credit freeze because of their incompetence – and by the way, we need to start regulating them, seeing as how they can’t do their fiduciary duty! The reporting agencies have been getting away with light regulation for years, always promising they can do it better without more regulation – Well that is obviously a lie, as we can see by recent history!

My wife also gets consistent errors when she uses annualcreditreport.com and has to submit the request by snail mail along with identity documentation.

One interesting fact is that for the identity documentation requirements they will not accept a US Passport. They accept a pay stub, which is easily forged over US Passport, which is not easily forged.

Just wondering how to handle being unable to get my credit reports through annualcreditreport.com… I went through the online process and had to make a phone call to get my Transunion report, my Experian report I received online, but my Equifax report said they required me to mail in photocopies of all my ID; Social Security card, Driver’s license, and even bills. I absolutely refuse to give copies of these to Equifax after their breach. I wouldn’t trust them with a sharp pencil, never mind hard copies of all my ID. What can I do?

I don’t know if this will work, but you can try putting a fraud alert (alert, not freeze) on your credit record through one of the credit bureaus. When you do, it entitles you to one free credit report from each bureau (according to Transunion https://www.transunion.com/fraud-victim-resource/place-fraud-alert). They’ll likely send the reports by snail mail, though. (You only have to contact one bureau. The one you contact is supposed to notify the other two.)

You can put a fraud alert on your record even if you’ve already frozen your record. Personally, I wouldn’t trust fraud alerts as a tool to protect you. I’m suggesting this only as a strategy to get free credit reports. As for fraud alerts, my experience goes back a few years, but I found that banks and credit providers routinely ignore then, even when you requested that they call you before issuing credit. Never once was I called.

Since the fraud alert sunsets in 90 days, who knows, maybe we can put a new alert on a few days after it expires and trigger the issuance of another set of free reports.

I have a fraud alert with all three bureaus, I requested that they call before issuing credit. Never once was I called. But Capital One did send a letter before they issued credit. That was good enough for me.

The real benefit of an alert is that you need to list a phone number and address to do so. That allows credit providers from checking the supplied information to that one. In essence this is the solution to tehc ore issue the US has: no way to verify identity for credit providers, and no desire among the population to make acquiring credit harder.

I requested three free credit reports online twice from the site you recommended, annualcreditreport.com with my correct personal information, and the site came back with fatal errors both times… that does not surprise me. (btw March 2018 long after the Equifax criminality) Anything where the US Congress is involved – and unprincipled banks – and highly criminalized credit reporting agencies — will either be incompetently run, or a scam. Fact.

Try getting the report from one of the other agencies, like Experian or TransUnion, while still using annualcreditreport. They all sync your data within weeks of each other anyway.

I’m sure Equifax is going to use the excuse their servers are over loaded – but we all know it is just that they will lose money freezing everyone’s files. They are just playing opossum trying to weather the storm.

Why would anyone want to give them more information to lose, either with a freeze, or even an address to confirm with a credit check? Here’s an idea. Make any lending institution the responsible party for issuing a loan or a credit card without your permission…

I gave up. I have things to do in life besides spend all day paranoid watching out for some scammers impersonating me to get a loan. As far as I’m concerned place equfUx are criminal organizations that steal peoples data without permission and sell it the same.
I’ll never be applying for a loan, and know I am not responsible for idiot financial places that give loans based on data from criminal organizations.

Like others here, just tried to get credit reports via annualreports.com. All three failed. Two (Equifax and Transunion) suggested requesting by mail, one gave no option. These organizations are in violation of the law!

This Equifax breach is scary – a lot of our information got hacked and is in the wrong hands.
Large enterprises like Equifax could actually use Deception Technology (like TrapX for example) to detect when & where attackers are hiding in their network.

The way that it works is with special traps that are hidden everywhere in the network. They react exactly like what the attacker is trying to interact with – an IoT device, a linux server, etc.

Many companies are using this technique today and are seeing a lot of success in preventing data breaches.

If anyone is interested in learning more, there is a great blog post about this on LinkedIn, here’s a shortened link – http://bit.ly/2IkBhlB

The first time I had read about this service, I thought that it would be really useful to do as a New Years Resolution.

There may be better strategies, such as spacing the three Annual Reports out evenly across the year. But I’m still in the New Year’s habit.

Five-ish years ago, I somehow mangled the confirm-your-identity Q&A for one of the three. (Or my NoScript utility made it impossible to complete that step properly…) So I could easily get two of the three online, and I would then mail in the third request.

This year, all three Reporting Agencies told me to mail in the request.

Brian joins the long list of online pundits reminding us to check our credit, did you know that you can do so for free at annualcreditreport.com? Thanks, but yes I’ve been told over and over about it, that’s not the problem. The problem is that site is essentially useless.
I just re-tried it a couple of weeks ago and went one-two-three strikes you’re out once again. Tried getting the Experian report, “A condition exists that makes it unable to receive your request at this time.” Transunion choked while pulling data for the KBA questions, “unable to complete your request.” Then annualcreditreport tried to pass me to Equifax and it bombed out right there, never even made it to Equifax’s site.
For all the fact that this is supposed to be the site that is officially endorsed for the purpose, it’s a very poor system. Maybe some of these personal finance columnists nagging us to check our credit should instead write articles blasting annualcreditreport for not doing its job. I would gladly read a column about that!
Hey everybody, did you know you can check your credit report for free at annualcreditreport.com? Bet you didn’t know that …

I don’t think it matters which site you use to get your credit report, nor monitoring. But, I have fought with Equifax for a year to get my report fixed, get my score in line with the other two agencies, only to have a single credit check cost me a negative drop in my score of 90+ points (only by Equifax). It’s obvious they aren’t doing things right, and that they do not care. Service is rude, incomplete, incompetent, and argumentative. They need to go away, permanently. This breach did more damage than they are able to recover from.

creditkarma gives you most of the stuff from your credit reports for free from 2 of the 3 agencies, and gives you weekly updates. The free phone app will alert you to changes too.

Also, I think navy federal gives you all 3 credit reports for like $7 or so. Any members of armed forces are eligible for free account at navyfederal. Also, anyone with a parent who was in armed forces is eligible. I highly recommend it, they have mortgages as well, with 0% down.

not suprirised me at all.
as we all know that your ssn and other type of personal information is sale on black markets.
its goverment whos left this backdoor opened for fellow crooks and criminals.
the old truth is that if you leave door open then offcourse criminals go and take.
shut the g damn doors and all good.

Hi Brian,
After reading your article, I went to annualcreditreport.com but then the paranoid side of me kicked in. is there a possibility of cybercriminals creating fraudulent sites promising free credit report and use that to get our private information.
I get a bit twitchy going to websites that asked me to type in my social security number including the annualcreditreport.com.

What if I had a typo and accidentally went to a fraudulent site? what if your blog was compromised and the link went elsewhere?

It’s wise to question putting your data in anywhere, but you don’t have to use the link from here. You can type annualcreditreport.com in yourself and it will take you to the one the US Government promotes as your right to access the information about you. All other sites could be criminal or they may be legit businesses who may hoover up the information you voluntarily put into their database.

Just check the Federal Trade Commission web site you can’t get it wrong it is just the FTC acronym with the .gov suffix. That is where the government supported free credit checker resides anyway. If it will help, get a browser extension like Web Of Trust to rate the sites you are searching, so you will know the basic reputation of most of them. The only other one I’ve used that was better was a paid version made by McAfee called ‘site advisor’ or later on ‘web advisor’ but they may require you buy a whole raft of products with this utility, that you don’t want, and quite frankly is rather obtrusive for no better than it works. IMO

Last week, I tried to get my free credit report from all three bureaus and each one returned errors. I applied for them through the mail to check for any errors. I’ve potentially been part of at least six different breaches over the last three years and feel that the credit bureaus aren’t doing nearly enough to protect our information.